Example: Configuring Junos OS Application Identification Custom Nested Application Definitions (CLI)
Application identification supports custom nested application definitions to detect nested applications as they pass through the device. When you configure custom definitions, make sure your definitions are unique.
Table 73 compares the configuration parameters for custom and predefined nested applications. These differences keep custom nested application definitions distinct from the predefined definitions, so they are not deleted when you update or delete the predefined application package.
Table 73: Custom Nested Application Definitions and Predefined Definitions
Predefined | Custom |
|---|---|
index range: 1 through 32767 | index range: 32768 through 65534 |
name prefix: junos | name prefix: not unique and must not be junos |
order field: unique for all applications and nested applications | order field: unique for all applications and nested applications |
Table 74 shows the available attributes for creating a custom nested application definition. The hierarchy level is [edit services application-identification nested-application nested-application-name].
Table 74: Custom Nested Application Definition Attributes
Attribute | Description |
|---|---|
nested-application-name | Name of the custom nested application definition. Must be a unique name with a maximum length of 32 characters. (Required) |
index | A number that is a one-to-one mapping to the nested application name. Must be unique with a maximum length of 32 bits. 1 through 1023 is reserved for predefined applications. (Required) |
protocol | The protocol that will be monitored to identify nested applications. HTTP is supported. |
Signature Attributes | |
signature name | Name of the custom nested application signature definition. Must be a unique name with a maximum length of 32 characters. (Required) |
chain-order | Signatures can contain multiple members. If chain-order is on, those members are read in order. The default for this option is no chain order. If a signature only contains one member, this option is ignored. |
maximum-transactions | The maximum number of transactions that should occur before a match is made. |
member name | Defines a member name for a custom nested application signature definition. Custom definitions can contain multiple members that define attributes for an application. (Member name range is m01 through m16) |
context | Defines a service specific context, such as http-url. |
direction | The connection direction of the packets to apply pattern matching. The options are any, client-to-server, or server-to-client. |
pattern | Define the dfa-pattern to match in the context. |
order | When there are multiple patterns matched for the same session, the lowest order number takes the highest priority. Must be unique. (Required) |
The following example identifies an application named “my-nested-app” for the nested application called Social-Website operating over HTTP.
To create a custom nested application definition:
- Set the application name you will use in your policy for your custom application.
  [edit services application-identification]
  user@host# set nested-application my-nested-app
- Set the application type.
  [edit services application-identification]
  user@host# set nested-application my-nested-app type HTTP
- Set the index number.
  [edit services application-identification]
  user@host# set nested-application my-nested-app index 34000
- Set the signature information by starting with the signature name my-nested-app-sig:Social-Website.
  [edit services application-identification]
  user@host# set nested-application my-nested-app signature my-nested-app-sig:Social-Website
- Create a member named m01 for the signature that defines the application attributes. (Member name range is m01 through m16.)
  [edit services application-identification]
  user@host# set nested-application my-nested-app signature my-nested-app-sig:Social-Website member m01
- Set the context to be used for matching the application.
  [edit services application-identification]
  user@host# set nested-application my-nested-app signature my-nested-app-sig:Social-Website member m01 context http-header-host
- Set the pattern to match.
  [edit services application-identification]
  user@host# set nested-application my-nested-app signature my-nested-app-sig:Social-Website member m01 pattern ".*(facebook\.com|fbcdn\.net)"
- Set the direction in which to match traffic.
  [edit services application-identification]
  user@host# set nested-application my-nested-app signature my-nested-app-sig:Social-Website direction client-to-server
- Set the maximum number of transactions for a match to occur to 3.
  [edit services application-identification]
  user@host# set nested-application my-nested-app signature my-nested-app-sig:Social-Website maximum-transactions 3
- Set the matching order for this signature to 5.
  [edit services application-identification]
  user@host# set nested-application my-nested-app signature my-nested-app-sig:Social-Website order 5
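A pre-commit check for a batch of these commands, as an added example that is not part of the Juniper documentation: it parses `set nested-application` lines and reports violations of the custom-definition rules in Tables 73 and 74. The function names `parse` and `validate` and the sample input are assumptions made for illustration.

```python
import re
import shlex

DIRECTIONS = {"any", "client-to-server", "server-to-client"}  # Table 74 options

def parse(lines):
    """Build {app: {attr: value, 'signatures': {sig: {attr: value, 'members': {}}}}}."""
    apps = {}
    for line in lines:
        tok = shlex.split(line)
        if tok[:2] != ["set", "nested-application"] or len(tok) < 3:
            continue
        node = apps.setdefault(tok[2], {"signatures": {}})
        rest = tok[3:]
        if rest[:1] == ["signature"] and len(rest) >= 2:
            node = node["signatures"].setdefault(rest[1], {"members": {}})
            rest = rest[2:]
            if rest[:1] == ["member"] and len(rest) >= 2:
                node = node["members"].setdefault(rest[1], {})
                rest = rest[2:]
        if len(rest) == 2:  # a trailing "attribute value" pair
            node[rest[0]] = rest[1]
    return apps

def validate(apps):
    """Return violations of the custom-definition rules in Tables 73 and 74."""
    errs, orders = [], {}
    for name, app in apps.items():
        if name.startswith("junos"):
            errs.append(f"{name}: name prefix must not be junos")
        idx = app.get("index", "")
        if not (idx.isdigit() and 32768 <= int(idx) <= 65534):
            errs.append(f"{name}: index missing or outside 32768-65534")
        for sname, sig in app["signatures"].items():
            key, order = (name, sname), sig.get("order")
            if order is None or orders.setdefault(order, key) != key:
                errs.append(f"{name}/{sname}: order missing or not unique")
            for scope in (sig, *sig["members"].values()):
                if scope.get("direction", "any") not in DIRECTIONS:
                    errs.append(f"{name}/{sname}: invalid direction")
            for member in sig["members"]:
                if not re.fullmatch(r"m(0[1-9]|1[0-6])", member):
                    errs.append(f"{name}/{sname}: member {member} not in m01-m16")
    return errs

# Constructed input: the index is set under a different application name.
SAMPLE = """\
set nested-application my-app index 34000
set nested-application my-nested-app signature my-nested-app-sig:Social-Website member m01 context http-header-host
set nested-application my-nested-app signature my-nested-app-sig:Social-Website order 5""".splitlines()
```

Running `validate(parse(SAMPLE))` flags `my-nested-app` as lacking an index, the kind of name mismatch that otherwise leaves a required attribute unset.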
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding Junos OS Application Identification Custom Application Definitions
- Understanding Junos OS Application Identification Application Package
- Understanding Junos OS Application Identification Services